14 April 2022

Following the ruling of Court of Justice of the European Union in 2020, invalidating the Privacy Shield, it has become significantly more difficult to comply with the GDPR for companies transferring personal data from the EU to the US. What changes will the new Transatlantic Privacy Shield Framework announced last month with a view to replace Privacy Shield bring for these EU companies? In this short article, we explain the principles of the new Framework and answer the above question.

1. Background

Before presenting the new Transatlantic Privacy Shield Framework (“Framework”), it is necessary to sum up the background that makes the new rules on personal data transfers between the EU and the US necessary at all.

The legislation that preceded the new Transatlantic Data Protection Framework, the so-called Privacy Shield came into force in 2016. US companies could register under the Privacy Shield and once they did so, the European Commission recognised that the US provided adequate protection for personal data transferred to such companies. This meant that no additional safeguards were needed for data transfers to such companies.

However, the GDPR, which entered into force in 2018, required a higher-level data protection from third countries. The Court of Justice of the European Union “(CJEU”) concluded in the 2020 Schrems II judgment[1] that US law did not provide adequate judicial protection for those whose personal data transferred to the US was made available to national security organisations under the relevant US rules.

Consequently, the CJEU found that the Privacy Shield did not provide adequate protection under the GDPR and invalidated it.

The Schrems II judgment has left companies transferring personal data to the US in an uncertain situation, as they could no longer transfer personal data to the US under the Privacy Shield.

EU-US data transfers have of course not stopped, but parties making such transfers should apply a complex set of rules providing other additional safeguards, most commonly the standard data protection clauses adopted by the Commission, which we have described in detail in our previous article. 1

2. Basic principles of the Transatlantic Privacy Framework

The main purpose of the new Framework is to fill the gaps in the Privacy Shield and thus provide adequate safeguards for EU-US personal data transfers.

To ensure the above, the Framework will

  1. allow personal data to flow freely and safely between the EU and participating US companies;
  2. limit the scope of personal data accessible by US national security services to the extent necessary and proportionate;
  3. introduce a new two-tier redress system to investigate and resolve complaints of EU individuals regarding such access, in which the Data Protection Review Court is established;
  4. maintain strict obligations on companies processing personal data transferred from the EU, requiring US companies to continue to demonstrate compliance with the principles set out by the US Department of Commerce.
  5. introduce specific monitoring and review mechanisms.

3. Next steps

The EU and US will implement the principles now agreed into their respective legal systems. The US commitments will be translated into an Executive order, which will form the basis for a Commission adequacy decision.

4. What will be the benefits of the Transatlantic Privacy Framework?

Once the Framework is established, it will significantly simplify the procedures for companies that regularly transfer personal data to the US.

In fact, the adoption of the Framework will "restore" the situation prior to the Schrems II ruling, i.e. the data processing of US companies that have registered in the Framework will be assessed by the Commission as providing an adequate level of protection.

For companies, this could provide for simpler and less costly data transfers between the EU and the US, as they will not need to apply, monitor, and amend specific standard data protection clauses to ensure the lawfulness of personal data transfers to the US.

However, it should be noted that at this stage only the principles of the new Framework have been agreed between the EU and the US, so it is likely to be a longer period before the Framework is adopted. Until then, companies should continue to apply the standard data protection clauses.

5. Summary

Following the invalidation of the Privacy Shield, the situation for companies that transfer a large amount of personal data to the US has become more difficult, as companies now should apply specific data protection clauses to each transfer to the US.

The EU and the US would address this problem by establishing the Transatlantic Privacy Framework.

Based on the recently adopted principles of the Framework, the US will provide the effective legal protection that has been missing until now, as well as the right to an adequate judicial remedy for those whose personal data are made available to US national security organisations.

Adoption of the Framework would significantly make it easier to transfer personal data from the EU to the US, but this is likely to be a long time coming, so companies will need to apply the general data protection clauses to their transfers in the meantime.


[1] Case No. C-311/18